From 72de265c1d16e88caa7becde00895371ddaeddac Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Thu, 19 Nov 2020 15:29:28 +0000
Subject: [PATCH] Implement secure RBAC for share access rules

This commit updates the policies for share access rules to understand scope
checking and account for a read-only role. This is part of a broader series of
changes across OpenStack to provide a consistent RBAC experience and improve
security.

Change-Id: I12026c7874620abb076df979f0492f6d1b8563fd
---
 manila/policies/share_access.py | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/manila/policies/share_access.py b/manila/policies/share_access.py
index 9844427ce8..622485cb9a 100644
--- a/manila/policies/share_access.py
+++ b/manila/policies/share_access.py
@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from manila.policies import base
@@ -20,21 +21,40 @@ from manila.policies import base
 
 BASE_POLICY_NAME = 'share_access_rule:%s'
 
+DEPRECATED_REASON = """
+The share access rule API now supports system scope and default roles.
+"""
+
+deprecated_access_rule_get = policy.DeprecatedRule(
+    name=BASE_POLICY_NAME % 'get',
+    check_str=base.RULE_DEFAULT
+)
+deprecated_access_rule_index = policy.DeprecatedRule(
+    name=BASE_POLICY_NAME % 'index',
+    check_str=base.RULE_DEFAULT
+)
+
 
 share_access_rule_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'get',
-        check_str=base.RULE_DEFAULT,
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        scope_types=['system', 'project'],
         description="Get details of a share access rule.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/share-access-rules/{share_access_id}'
             }
-        ]),
+        ],
+        deprecated_rule=deprecated_access_rule_get,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.RULE_DEFAULT,
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        scope_types=['system', 'project'],
         description="List access rules of a given share.",
         operations=[
             {
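Review bot: The reader-role restriction placed on the `get` rule (and on `index`, whose rule continues into the next hunk) is not enforced on its own while the new `DeprecatedRule` objects keep `base.RULE_DEFAULT` as their check_str: oslo.policy evaluates a rule carrying a `deprecated_rule` as the new check OR the deprecated check until `[oslo_policy] enforce_new_defaults` is set, and the added `scope_types` only take effect once `enforce_scope` is enabled, so deployments see no tightening by default. That appears to be the intended migration path, but nothing in the file says so; a comment above `deprecated_access_rule_get` such as `# NOTE: while these DeprecatedRules exist oslo.policy also accepts the old RULE_DEFAULT check; the reader/scope defaults are only enforced with [oslo_policy] enforce_new_defaults and enforce_scope set.` would make the window explicit to operators reading the policy defaults. As a point of style, the triple-quoted `DEPRECATED_REASON` carries a leading and trailing newline into the deprecation warning text; `DEPRECATED_REASON = ("The share access rule API now supports system scope and default roles.")` avoids that.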
@@ -42,7 +62,11 @@ share_access_rule_policies = [
                 'path': ('/share-access-rules?share_id={share_id}'
                          '&key1=value1&key2=value2')
             }
-        ]),
+        ],
+        deprecated_rule=deprecated_access_rule_index,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
 ]